Epic Release!
This week's release includes 5 new modules, 6 enhancements, 4 fixes and 1 documentation update. Among the new additions, we have an account take over, SQL injection, RCE, and LPE! Thank you to all the contributors who made it possible!
New Module Content (5)
Cisco Smart Software Manager (SSM) On-Prem Account Takeover (CVE-2024-20419)
Authors: Michael Heinzl and Mohammed Adel
Type: Auxiliary
Pull request: #19375 contributed by h4x-x0r
Path: admin/http/cisco_ssm_onprem_account
AttackerKB reference: CVE-2024-20419
Description: This is a new module which exploits an account takeover vulnerability in Cisco Smart Software Manager (SSM) On-Prem <= 8-202206, by changing the password of the admin user to one that is attacker-controlled.
WhatsUp Gold SQL Injection (CVE-2024-6670)
Authors: Michael Heinzl and Sina Kheirkhah ( <Sina Kheirkhah (@SinSinology) of Summoning Team (@SummoningTeam)>
Type: Auxiliary
Pull request: #19436 contributed by h4x-x0r
Path: admin/http/whatsup_gold_sqli
CVE reference: ZDI-24-1185
Description: This is a new module which exploits a SQL injection vulnerability in WhatsUp Gold versions before v24.0.0. Successful exploitation allows an unauthenticated remote attacker to change the password of the admin user.
Vicidial SQL Injection Time-based Admin Credentials Enumeration
Authors: Jaggar Henry of KoreLogic, Inc. and Valentin Lobstein
Type: Auxiliary
Pull request: #19453 contributed by Chocapikk
Path: scanner/http/vicidial_sql_enum_users_ ..
Support the originator by clicking the read the rest link below.
